By
Rainey Reitman
We have a problem when it comes to stopping mass surveillance.
The entity that’s conducting the most extreme and far-reaching
surveillance against most of the world’s communications—the National
Security Agency—is bound by United States law.
That’s good news for Americans. U.S. law and the Constitution protect
American citizens and legal residents from warrantless surveillance.
That means we have a very strong legal case to challenge mass
surveillance conducted domestically or that sweeps in Americans’
communications.
Similarly, the United States Congress is elected by American voters.
That means Congressional representatives are beholden to the American
people for their jobs, so public pressure from constituents can help
influence future laws that might check some of the NSA’s most egregious
practices.
But what about everyone else? What about the 96% of the world’s
population who are citizens of other countries, living outside U.S.
borders. They don't get a vote in Congress. And current American legal
protections generally only protect citizens, legal residents, or those
physically located within the United States. So what can EFF do to
protect the billions of people outside the United States who are victims
of the NSA’s spying?
For years, we’ve been working on a strategy to end mass surveillance
of digital communications of innocent people worldwide. Today we’re
laying out the plan, so you can understand how all the pieces fit
together—that is, how U.S. advocacy and policy efforts connect to the
international fight and vice versa. Decide for yourself where you can
get involved to make the biggest difference.
This plan isn’t for the next two weeks or three months. It’s a
multi-year battle that may need to be revised many times as we better
understand the tools and authorities of entities engaged in mass
surveillance and as more disclosures by whistle-blowers help shine light
on surveillance abuses.
If you’d like an overview of how U.S. surveillance law works, check out our
addendum.
Intro: Mass Surveillance by NSA, GCHQ and Others
The National Security Agency is working to
collect as much as possible about the digital lives of people worldwide. As the Washington Post
reported,
a former senior U.S. intelligence official characterized former NSA
Director Gen. Keith Alexander’s approach to surveillance as “Collect it
all, tag it, store it… And whatever it is you want, you go searching for
it.”
The NSA can’t do this alone. It relies on a network of international
partners who help collect information worldwide, especially the
intelligence agencies of Australia, Canada, New Zealand, and the United
Kingdom (collectively known, along with the United States, as the “Five
Eyes.”) In addition, the United States has relationships (including
various levels of intelligence data sharing and assistance) with
Belgium, Denmark, France, Germany, Israel, Italy, Japan, the
Netherlands, Norway, Singapore, Spain, South Korea, Sweden, and
potentially a number of other countries worldwide.
There are also other
countries—like Russia, China, and others—engaging in surveillance of
digital communications without sharing that data with the NSA. Some of
those governments, including the U.S. government, are spending billions
of dollars to develop spying capabilities that they use aggressively
against innocent people around the world. Some of them may do so with
even less oversight and even fewer legal restrictions.
Although whistle-blowers and journalists have focused attention on the
staggering powers and ambitions of the likes of the NSA and GCHQ, we
should never assume that other governments lack the desire to join them.
Agencies everywhere are hungry for our data and working to expand their
reach. Read about
international surveillance law reform and fighting back through
user-side encryption.
We focus here on the NSA because we know the most about its
activities and we have the most legal and political tools for holding it
to account. Of course, we need to know much more about surveillance
practices of other agencies in the U.S. and abroad and expand our work
together with our partners around the world to confront surveillance as a
worldwide epidemic.
Mass surveillance is facilitated by technology companies, especially
large ones. These companies often have insufficient or even sloppy
security practices that make mass surveillance easier, and in some cases
may be actively assisting the NSA in sweeping up data on hundreds of
millions of people (for example,
AT&T).
In other cases, tech companies may be legally compelled to provide
access to their servers to the NSA (or they may choose to fight that
access).
Read more about how tech companies can harden their systems against surveillance.
The NSA relies on
several laws as well as a presidential order
to justify its continued mass surveillance. Laws passed by Congress as
well as orders from the U.S. President can curtail surveillance by the
NSA, and the Supreme Court of the United States also has authority to
put the brakes on surveillance.
The Game Plan
Given that the American legal system doesn’t adequately protect the
rights of people overseas, what can we do in the immediate future to
protect Internet users who may not be Americans?
Here’s the game plan for right now. Note that these are not consecutive steps; we’re working on them concurrently.
1. Pressure technology companies to harden their systems against NSA surveillance
To date, there are unanswered questions about the degree to which U.S. technology companies are actively assisting the NSA.
In some cases, we know that tech companies are doing a lot to help
the NSA get access to data. AT&T is a clear example of this. Thanks
to
whistle blower evidence,
we know AT&T has a secret room at its Folsom Street facility in San
Francisco where a fiber optic splitter creates a copy of the Internet
traffic that passes through AT&T’s networks. That splitter routes
data directly to the NSA.
Some companies have taken things a step further and
deliberately weakened or sabotaged their
own products to "enable" NSA spying. We don't know who's done this or
what they've done, but the NSA documents make clear that it's happening.
It's the height of betrayal of the public, and it could conceivably be
taking place with the help even of some companies that are loudly
complaining about government spying.
So what do we know about major tech companies, like Google, Facebook,
Yahoo, and Microsoft? Here we have mixed reports. Documents provided by
Edward Snowden and published in the
Guardian and the
Washington Post
name nine U.S. companies—Microsoft, Yahoo, Google, Facebook, PalTalk,
AOL, Skype, YouTube, and Apple—as participants in the NSA’s PRISM
program. The documents indicate that the NSA has access to servers at
each of these companies, and implies that these companies are complicit
in the surveillance of their users.
The companies, in turn, have
strongly denied these allegations, and have even formed a
lobby group
calling on governments to "limit surveillance to specific, known users
for lawful purposes, and should not undertake bulk data collection of
Internet communications."
While a start, that’s a far cry from the role companies could be
playing. Tech companies also have the ability to harden their systems to
make mass surveillance more difficult, and to roll out features that
allow users to easily encrypt their communications so that they are so
completely secure that even their service providers can’t read them.
Perhaps most importantly, technology companies must categorically resist
attempts to insert back doors into their hardware or software.
There's also an important legal issue that can't be ignored. Tech
companies are in a unique position to know about surveillance requests
that are kept secret from the press and the public. These companies may
have the best chance to fight back on behalf of their users in court (
as Yahoo has done).
What’s more, tech companies literally spend millions of dollars to
lobby for laws in Washington and enjoy incredible access to and
influence over U.S. lawmakers. Often, companies spend that money trying
to derail potential regulation. Instead, these companies could be
heavily prioritizing positive surveillance reform bills.
So how do we get tech companies to start fighting surveillance in
court, hardening their systems against surveillance, pushing back
against the administration, and lobbying for real reform? We’re focused
on transparency—uncovering everything we can about the degree to which
big tech companies are actively helping the government—and public
pressure. That means highlighting ways that companies are fighting
surveillance and calling out companies that fail to stand up for user
privacy.
It’s why we’re proud to support the
Reset the Net
campaign, designed to get companies big and small to take steps to
protect user data. It's also why we're working to make what companies do
and don't do in this area more visible. Campaigns like
HTTPS Everywhere and our work on
email transport encryption, as well as scorecards like
Who Has Your Back are
designed to poke and prod these companies to do more to protect all
their users, and get them to publicly commit to steps that the public
can objectively check.
We also need to cultivate a sense of responsibility on the part of
all those who are building products to which the public entrusts its
most sensitive and private data. The people who create our computing
devices, network equipment, software environments, and so on, need to be
very clear about their responsibility to the users who have chosen to
trust them. They need to refuse to create backdoors and they need to fix
any existing backdoors they become aware of. And they need to
understand that they themselves, unfortunately, are going to be targets
for governments that will try to penetrate, subvert, and coerce the
technology world in order to expand their spying capabilities. They have
a grave responsibility to users worldwide and we must use public
pressure to ensure they live up to that responsibility.
2. Create a global movement that encourages user-side encryption
Getting tech giants to safeguard our digital lives and changing laws
and policies might be slow going, but anybody could start using
encryption in a matter of minutes. From encrypted chat to encrypted
email, from secure web browsing to secure document transfers, encryption
is a powerful way to make mass surveillance significantly more
difficult.
However, encryption can be tricky, especially if you don’t have a
team of engineers to walk you through it the way we do at EFF. With that
in mind, we’ve created
Surveillance Self Defense,
an in-depth resource that explains encryption to folks who may want to
safeguard their data but have little or no idea how to do it.
We’ve already translated the materials into Spanish and Arabic, and we’re working on even more translations.
We’ll continue to expand these materials and translate them into as
many languages as possible, while also doing a public campaign to make
sure as many people as possible read them.
Again, the more people worldwide understand the threat and the more
they understand how to protect themselves—and just as importantly, what
they should expect in the way of support from companies and
governments—the more we can agitate for the changes we need online to
fend off the dragnet collection of data.
3. Encourage the creation of secure communication tools that are easier to use
Many of the tools that are using security best practices are,
frankly, hard to use for everyday people. The ones that are easiest to
use often don’t adopt the security practices that make them resilient to
surveillance.
We want to see this problem fixed so that people don’t have to trade
usability for security. We’re rolling out a multi-stage Campaign for
Secure and Usable Crypto, and we kicked it off with a Secure Messaging
Scorecard. The
Secure Messaging Scorecard
is only looking at a few criteria for security, and the next phases of
the project will home in on more challenging security and usability
objectives.
The goal? Encouraging the development of new technologies that will
be secure and easy for everyday people to use, while also pushing bigger
companies to adopt security best practices.
4. Reform Executive Order 12333
Most people haven’t even heard of it, but Executive Order 12333 is
the primary authority the NSA uses to engage in the surveillance of
people outside the U.S. While Congress is considering much-needed
reforms to the Patriot Act, there’s been almost no debate about
Executive Order 12333.
This executive order was created by a stroke of the pen from
President Ronald Reagan in 1981.
President Obama could undo the worst
parts of this executive order just as easily, by issuing a presidential
order banning mass surveillance of people regardless of their
nationality.
We’ve
already launched the first phase of our campaign to reform Executive Order 12333.
5. Develop guiding legal principles around surveillance and privacy with the help of scholars and legal experts worldwide
The campaign got started well before the Snowden leaks began. It
began with a rigorous policy document called the International
Principles on the
Application of Human Rights to Communications Surveillance,
which features 13 guiding principles about limiting surveillance.
Written by academics and legal experts from across the globe, the
principles have now been endorsed by over 417 NGO's and 350,000
individuals worldwide, and have been the basis for a pro-privacy
resolution successfully passed by the United Nations.
The 13 Principles, as they're also known, are also meant to work both
locally and globally. By giving politicians and activists the context
for why mass surveillance is a violation of established international
human rights law, they make it clear that legalizing mass surveillance—a
path promoted by the Five Eyes countries—is the wrong way forward. The
13 Principles are our way of making sure that the global norm for human
rights in the context of communication surveillance isn't the warped
viewpoint of NSA and its four closest allies, but that of 50 years of
human rights standards showing mass surveillance to be unnecessary and
disproportionate.
6. Cultivate partners worldwide who can champion surveillance reform on the local level, and offer them support and promotion
Katitza Rodriguez, EFF’s International Rights Director, is rarely in
our San Francisco office. That’s because the majority of her time is
spent traveling from country to country, meeting with advocacy groups on
the ground throughout Latin America and parts of Europe to fight for
surveillance law reform. Katitza and the rest of EFF’s international
team assist these groups in working to build country-specific plans to
end mass surveillance at home and abroad.
The goal is to engage activists and lawyers worldwide who can use the
13 Principles and the legal analyses we’ve prepared to support them at
the national level to fight against the on-going trend of increased
surveillance powers. For example, we teamed up with activists in
Australia, Mexico, and Paraguay to help fight data retention mandates in
those countries, including speaking in the Paraguayan National
Congress.
EFF is
especially focused
on countries that are known to share intelligence data with the United
States and on trying to understand the politics of surveillance behind
those data sharing agreements and surveillance law proposals.
We’ve been sharing with and learning from groups across the world a
range of different tactics, strategies, and legal methods that can be
helpful in uncovering and combating unchecked surveillance. Our partners
are starting to develop their own national surveillance law strategies,
working out a localized version of the
Who Has Your Back campaign, evaluating strategic litigation, and educating the general public of the danger of mass surveillance.
In certain locales, these battles are politically and socially
difficult, in particular in places where a culture of fear has permeated
the society. We’ve seen anti-surveillance advocates wrongly painted as
allies of pedophiles or terrorists. In at least one of the countries
we’re working in, anonymity is forbidden in its constitution. For some
of our partners, promoting a rational debate about checking government
power abuses can risk their very freedom, with activists facing jail
time or even more serious consequences for speaking out.
Establishing a bottom-up counter-surveillance law movement—even if
it's one based on common sense and the entire history of modern
democracies—isn't easy. It’s a titanic task that needs the involvement
of advocates around the world with different tactics and strategies that
are complementary. This is why we’ve also been working to make
connections between activists in different countries, with case studies
like the
Counter-Surveillance Success Stories, and highlighting individuals who are proud to stand up and say "
I Fight Surveillance." We’re also teaming up with partners, such as
Panoptykon Foundation,
to share the strategies and tactics they used in Europe with local
groups in Latin America and vice-versa. We're working closely with
groups in the Middle East and North Africa, such as
7iber and
SMEX, to track, report on, and coordinate responses to state surveillance in these regions.
All of this has helped inform the work we've done in venues like the
United Nations, the
Office of the High Commissioner on Human Rights, and the
Inter-American Commission on Human Rights,
where EFF and our allies are helping—with great success—the legal minds
there wrap their heads around this new age of state violations of the
right to privacy and free expression.
Meanwhile, back in Washington...
7. Stop NSA overreach through impact litigation and new U.S. laws
Executive Order 12333 may be the presidential command that sets the
agenda for mass surveillance, but U.S. law also plays a huge role. The
NSA claims (often wrongly) that certain U.S. laws allow surveillance of
all Internet users, with almost zero oversight of its spying on non-U.S.
persons. There's the FISA Amendments Act, which the NSA believes allows
it to spy on groups of people instead of with directed warrants and
scoop up all of the Internet traffic it can, and grants it carte blanche
to target anyone overseas on the grounds that they are potentially
relevant to America's "foreign interests." And then there's the Patriot
Act, which has been loosely interpreted by the NSA to permit the dragnet
surveillance of phone records.
Fighting these laws is the bread and butter of our domestic legal team. Our lawsuits, like
Jewel v. NSA,
aim to demonstrate that warrantless surveillance is illegal and
unconstitutional. Our grassroots advocacy is dedicated to showing
American lawmakers exactly how U.S. law is broken, what must be done to
fix it, and the powerful movement of people working for change.
You can read more details about American law in our
addendum
below, but here's the upshot: we have to fix the law if we're to stop
these secret agencies spying on the world. And we have to make sure that
no new tricks are being planned.
That means chipping away at the culture of secrecy that lies at the heart of this mess.
8. Bring transparency to surveillance laws and practices
One of the greatest challenges we face in attempting to end mass
surveillance is that we don’t know what we don’t know. Thanks to
whistleblower evidence, statements by certain public officials, and years of aggressive litigation under the
Freedom of Information Act,
we’ve confirmed that the NSA is engaged in mass surveillance of our
communications and that it is primarily relying on three legal
authorities to justify this surveillance.
But what if the NSA is relying on seven other legal authorities? What
if there are other forms of surveillance we have not yet heard about?
What if the NSA is partnering with other entities (different countries
or different branches of the U.S. government) to collect data in ways we
can’t imagine?
It’s extremely difficult to reform the world of surveillance when we
don’t have a full picture of what the government is doing and how it’s
legally justifying those actions.
With that in mind, we are working to fight for more transparency by:
- Working to reform the broken classification system, which keeps the government’s actions hidden from public oversight.
- Using Freedom of Information Act requests and lawsuits to gain
access to government documents that detail surveillance practices (and
their legal justifications).
- Helping allies, like Germany and Brazil, to put pressure on the United States to justify its surveillance practices.
- Educating people about the value of whistleblowers and the important
role they play in combating secrecy. This includes advocacy for
organizations and platforms like Wikileaks that defend and promote the
work of whistleblowers. It also includes highlighting the important
contributions provided by whistleblowers like Mark Klein, Bill Binney,
Thomas Drake, Edward Snowden, and others.
Global Solutions for a Global Problem
Mass surveillance affects people worldwide, reaching everywhere that
the Internet reaches (and many places that it doesn’t!). But laws and
court systems are divvied up by jurisdictional lines that don’t make
sense for the Internet today. This means we need a range of tactics that
include impact litigation, technological solutions, and policy changes
both in the United States and across the globe.
This game plan is designed to give you insight into how U.S. laws and
policies affect people worldwide, and how we can work to protect people
outside of America’s borders.
We're up against more than just a few elements in the American
administration here. We're up against a growing despondency about
digital privacy, and we're up against the desire of spooks, autocrats,
and corporations jockeying for intelligence contracts in every nation,
all of whom want to shore up these surveillance powers for themselves.
But we work side-by-side with hundreds of other organizations around the
world and thousands of supporters in nearly every country. We have the
amazing power of technology to protect privacy, organize opposition, and
speak up against such damning violations of human rights.
We’re continuing to refine our plan, but we wanted to help our
friends understand our thinking so you can understand how each of our
smaller campaigns fit into the ultimate objective: secure, private
communications for people worldwide.
It's what we’re doing to fight surveillance. But what can you do?
You can join your local digital rights organization, of which there
are now hundreds, in almost every nation (and if there isn't one in
yours, ask us for advice on starting one). You can pressure companies to
increase your protection against government espionage and support
companies that make a stand.
You can
sign our petition about Executive Order 12333 and help spread the word to others. You can
use encryption
to protect yourself and raise the cost of mass surveillance, and you
can teach your friends and colleagues to use it too. You can personally
refuse to cooperate with surveillance and promote privacy protections
inside institutions you're a part of. You can tell your friends and
colleagues the real risks we are running and how we can turn this mess
around.
And whether you're in the United States or not, you can support our plan by
becoming a member of EFF.
Addendum: Laws & Presidential Orders We Need to Change
One of the best ways to end mass surveillance by the NSA is to change
the United States law to make clear that warrantless surveillance is
illegal. However, that’s a little challenging. The NSA is relying on a
patchwork of different laws and executive orders to justify its
surveillance powers.
Here are a few we know we need to change. Note that there are other
parts of U.S. law that may need revision (including provisions such as
the
Pen Register Trap and Trace and
National Security Letters), but this is where we're focusing our energies currently as the primary known authorities used to justify mass surveillance:
Section 215 of the Patriot Act, Known as the "Business Records" Section
Read the law
What it does: The section of the law basically says that the
government can compel the production of any "tangible things" that are
“relevant" to an investigation.
Why you should care: The NSA relies on this authority to
collect, in bulk, the phone records of millions of Americans. There are
suggestions it's also being used to collect other types of records, like
financial records or credit card records, in bulk as well.
How we can stop it: There are a few ways to fix Section 215. One way is to pass a reform bill, such as the
USA FREEDOM Act,
which would make clear that using Section 215 to conduct bulk
collection is illegal. The USA FREEDOM Act failed to pass in the Senate
in 2014, which means it would need to be reintroduced in 2015.
However, there’s an even easier way to defeat this provision of the
law. This controversial section of the Patriot Act expires every few
years and must be reauthorized by Congress. It’s up for renewal in June
2015, which means Congress must successfully reauthorize the section or
it will cease to be a law. We’re going to be mounting a huge campaign to
call on Congress not to reauthorize the bill.
We also have three legal cases challenging surveillance conducted under Section 215:
Jewel v NSA,
Smith v Obama, and
First Unitarian Church of Los Angeles v. NSA.
Section 702 of the FISA Amendments Act
Read the law
What it does: This section of law is designed to allow the NSA
to conduct warrantless surveillance within the U.S. when the intended
target is overseas.
Why you should care: The NSA relies on this law to support
PRISM, which compels Internet service providers like Google, Apple, and
Facebook to produce its users communications. The NSA's upstream
surveillance—which includes tapping into fiber optic cables of AT&T
and other telecommunications providers—also relies on this provision.
Through these two surveillance options, the NSA "targets" subjects for
surveillance. But even when the NSA is "targeting" specific foreign
intelligence subjects overseas, they’re "incidentally" collecting
communications on millions of people, including both Americans and
innocent people abroad.
How we can stop it: Currently, there aren’t any reform bills
that show promise. We’re working on educating the public and Congress
about the Section 702 and the FISA Amendments Act. In 2017, this
authority will be up for reauthorization. We’ll be planning a big
campaign to demolish this invasive and oft-abused surveillance
authority.
Executive Order 12333
Read the executive order
What it does: Executive orders are legally binding orders
given by the President of the United States which direct how government
agencies should operate. Executive Order 12333
covers
"most of what the NSA does" and is "the primary authority under which
the country’s intelligence agencies conduct the majority of their
operations."
Why you should care: Executive Order 12333 is the primary
authority the NSA uses to conduct its surveillance operations—including
mass surveillance programs—overseas. Reforming mass surveillance
requires reforming the NSA's authority under EO 12333.
How we can stop it: Executive Order 12333 was created by a
presidential order, and so a presidential order could undo all of this
damage. That’s why we’re
pressuring President Obama to issue a new executive order affirming the privacy rights of people worldwide and ending mass surveillance.
The Funding Hack
While passing a bill through Congress is extremely challenging,
another (somewhat more controversial) method of ending this surveillance
is through the budget system. Every year, Congress must approve the
defense budget. This frequently becomes a contentious battle with
numerous amendments introduced and debated. We may see an amendment that
tackles some form of surveillance.
